Data protection policy
The protection of the privacy of our Users (you, your, or the User) is of paramount importance to KimboCare AG (we, us, our, KimboCare). The responsible and of course lawful processing of your data - in accordance with Swiss data protection legislation, in particular the Swiss Federal Data Protection Act (DPA) - is part of our corporate policy.
KimboCare has a dedicated data protection team, including a legal team and data protection engineers. Our goal is to ensure that your privacy and the security of your Personal Information are protected at all times and in a transparent manner.
To learn more about the key commitments we make to protect Patients' Personal Health Information, you can review our Patient Data Protection Policy and Subscribing Healthcare Professionals Data Protection Policy.
Who is responsible for processing your Personal Data?
The Controller is the person who determines the purposes and means of processing Personal Data. The Processor is a person who carries out data processing in accordance with instructions defining the essential parameters of data protection. He acts under the authority of the Controller and on the instructions of the Controller.
Depending on the activities involved, we may act as a Data Controller or Subcontractor on behalf of Healthcare Professionals.
a.KimboCare generally acts as a Processor of Personal Data collected in the context of the Services, in particular during (i) the administration and management of the directory of Healthcare Professionals; (ii) the creation and management of the personal or professional user account; (iii) the online appointment booking, and more generally the use of the KimboCare Platform.
b.KimboCare acts as a Subcontractor of the Healthcare Professionals (who then act as Data Processors) regarding the Personal Data collected in the context of any consultation or follow-up of the Patient.
3.However, whether we are acting as a Data Controller or Subcontractor, we take appropriate measures to ensure the protection and conﬁdentiality of the Personal Data we hold or process, in compliance with applicable legal provisions.
To enable KimboCare to provide User with the included Services, and subject to this User Agreement, User hereby grants to KimboCare a non-exclusive right to use and process data provided by User in connection with KimboCare’s operation of the included Service on User’s behalf.
KimboCare reserves the right to access, read, preserve, and disclose any information as it reasonably believes is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request; (ii) enforce this User Agreement, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security or technical issues; (iv) respond to user support requests; or (v) protect our rights, property or safety, or that of our users and the public; This includes exchanging information with other companies and organizations for fraud protection and spam prevention.
All the information securely collected are processed in our Microsoft's hosted data centers in West Europe and Africa.
How is Personal Information collected?
Personal Data collected from the User
We normally collect Personal Information directly from you when you interact with our Services or our employees. This is the case, for example, when you create a personal or business User Account or via forms or other documents that are completed in the course of using the Services.
A User may also provide us with Personal Information about a relative, provided that he or she has the right to provide such information to us.
If you do not wish to provide, or object to the use of, any information requested of you, you may not be able to access certain parts of the Platform or Services and we may not be able to fulfill your request.
Personal Data we collect automatically when using the Services
You can set certain permissions for the automatic collection of your Personal Information when you configure your device or web browser for the features available. For more information, please see our Cookie Usage Policy.
For Healthcare Professionals: Personal Data collected from third parties or public sources
For Healthcare Professionals and their Authorized Users only (e.g., physicians working in a practice that subscribes to the KimboCare Services), we may collect Personal Data from third parties or public sources. These may include physician registries or public databases.
The Personal Data we collect in this context is the name, surname, practice address and specialty of the Health Care Professional. It is used to create and make available to the general public a directory of Health Professionals, available on the Platform and/or to contact Health Professionals to offer them our Services.
The Data we collect as a Subcontractor
Healthcare Professionals and their Authorized Users may also enter information into the Platform when using the Services, e.g., in connection with patient record management. We process this data as a Subcontractor on behalf of the Healthcare Professionals (see Chapter 3). If you have any queries about this data, you should contact your Healthcare Professional directly (see Chapter 10).
All data provided to KimboCare through the use of the Services is and shall remain KimboCare property.
What Personal Information do we collect and why?
The categories of data we collect and the purposes for which we use it are described in detail under the link Purposes and Processing of Personal Data Collected.
As a responsible organization that respects your privacy, we do not process your Personal Data to create a profile of you (profiling), nor do we make decisions that have legal effects on you exclusively based on automated processing (automated individual decision).
With whom and why do we share your Personal Information?
In certain circumstances, we may share your Personal Information with third parties, e.g., in connection with the provision of our Services, if necessary for the performance of the Services or for other legitimate reasons.
- The Health Care Professional (and his or her team) that you have chosen in order to confirm your appointment, including the online consultation with the relevant Health Care Professional. We transmit the relevant booking data to the Healthcare Professional you have chosen, who may store and manage your data in their own system or ours. We may also transmit information about your interactions with the Healthcare Professional in connection with litigation. The Healthcare Professional is solely responsible for handling your Personal Data in the course of a treatment or consultation in accordance with the Data Protection Act, including determining who within its organization has access to your Personal Data.
- For more information on how Healthcare Professionals process your Personal Data, please contact the relevant Healthcare Professional directly.
- Certain Subcontractors: We use subcontracted service providers, such as communications, payment, or IT/software service providers, who process your Personal Information in connection with the services they provide to us. All service providers are subject to confidentiality obligations and are bound by data processing agreements. The list of our subcontractors is presented on the link: List of subcontractors
- To other third parties where legally required. We may also disclose your Personal Data when we have a legal necessity or legitimate interest in doing so, for example (i) to comply with a request from a judicial authority or pursuant to a legal obligation; (ii) to bring or defend a legal claim; or (iii) in connection with restructuring, including if we transfer our assets to another company.
- In addition, if you use a Service that we provide to the Healthcare Professional with whom you work, we share certain data with the Healthcare Professional, such as interaction data and diagnostic data, to enable the Healthcare Professional to administer the Services.
The Service is a secure and convenient way to send Health Credits to family members and other people that you trust. However, scams and fraudsters are abundant, and you should be cautious of deals or offers that seem too good to be true. We urge you not to send Health Credits to anyone that you do not know personally or that has not been recommended and certified by KimboCare as a trustworthy Recipient. Take care to safeguard your password, do not send or request for others, and use KimboCare for legal purposes only. KimboCare should not be held liable for any loss or damages resulting from the fraudulent access to the User’s Account or Profile. Please let us know immediately if you believe someone is trying to scam or defraud you or if your username or password has been lost or stolen.
KimboCare will comply with all applicable privacy and data security laws and regulations to ensure the protection and security of your data. If you are aware of anyone or any entity that is using the Service inappropriately, please contact us at the email address indicated on our Website.
Do we transfer Personal Data overseas?
We host Users' Personal Data on servers located in Switzerland.
As a general principle, we do not transfer or make available your Personal Information to other countries. However, under certain circumstances, your Personal Information may be made available to recipients located abroad. You can find a list of the specialized service providers we use here. Personal Data will only be transferred abroad if the applicable legal requirements are met. Our service providers abroad are obliged to observe data protection to the same extent as we do. If the level of data protection in a country is not equivalent to that in Switzerland, we ensure contractually that the protection of Personal Data is always equivalent to that in Switzerland, for example by signing the EU standard contractual clauses.
If you transmit data to us, you are deemed to consent to such data transfers. You may request additional information in this regard and obtain a copy of the relevant guarantees upon request by sending a request to [email protected]
How long do we keep your Personal Information?
We delete or anonymize your Personal Information as soon as it is no longer necessary for the purposes described under the link Purposes and processing of Personal Information collected. This period varies depending on the type of data involved and the applicable legal requirements. The following rules apply:
- Personal Data collected as part of the performance of the contractual relationship between KimboCare and you (e.g., for the use of our Services) is retained for the duration of the contractual relationship, as long as you have an active personal or business User Account, and then its archived for the legal retention period. Professional User Account information is retained for the duration of the contractual relationship with the subscribing Healthcare Professional.
- Data collected based on your consent is retained until you revoke your consent.
- Personal Data collected for our legitimate interests, e.g., for market research, legal purposes, or to improve our services, is retained for as long as necessary to achieve those purposes.
- In addition, we must retain Personal Data for a longer period of time if this is necessary to comply with a legal obligation (e.g., accounting rules or tax law), by order of an authority, or in connection with legal proceedings. Certain information relating to the contractual relationship, for example, must be kept for at least 10 years and certain data relating to care services for at least 20 years.
- You can find more information on each type of processing in the document "Purposes and Processing of Personal Data".
- We determine the retention periods for Personal Data only in our capacity as Data Controller. In the case of processing carried out in our capacity as Processor (see Art. 3 above), we act only on the instructions of the Controllers and do not determine the retention period ourselves. If you have any questions about the retention period of Personal Data for which KimboCare acts as a Processor, we recommend that you contact your Healthcare Professional, the Data Controller, directly. Taking into account the legal obligations of archiving imposed on the Health Professionals, they are likely to keep, on their own tools, the Personal Data of the Users for longer periods than those indicated above aﬁn order to ensure to the Patients a medical follow-up and an optimal care.
What are your rights?
You may exercise various rights with respect to the data we process. In particular, you have the right to do the following, within the limits of the law:
- Obtain information about the Personal Data we process about you.
- Have that data verified and corrected at any time.
- Request the deletion or suppression of Personal Data.
- Withdraw your consent at any time.
- Object to the processing of your Personal Data.
- Obtain your Personal Data in an interoperable format or have it transferred to another controller (right to portability).
- If you ask us to delete your Personal Data from our systems, we will comply with your request, unless we need to retain your data for a legal or other legitimate reason. Please note that any information we have saved may remain in back-up storage for some time after your request for deletion.
- The above does not limit any other rights you may have under applicable data protection legislation in certain circumstances.
- In addition, you have the right to lodge a complaint with the competent supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner. Although it is not mandatory, we recommend that you contact us in advance as we may be able to respond directly to your request.
How to exercise your rights?
For all inquiries regarding Personal Data for which we act as Data Controller (see Chapter 3)
Please contact us directly at [email protected].
You will need to indicate in your email the Personal Data to which your request relates and provide any information necessary for us to verify your identity.
For all requests concerning Personal Data for which we act as a Subcontractor
You should contact your Healthcare Professional, the Data Controller.
At the request of the Healthcare Professional you have contacted, we may assist them in following up on your request, but we will not be able to respond directly to the request.
How do we protect your Personal Information?
We take appropriate technical and organizational security measures to ensure the security of the processing and confidentiality of Personal Data, and to prevent unauthorized access to and unauthorized transmission, modification or destruction of such data. Security measures are continuously improved in line with technological developments.
As such, KimboCare takes all useful precautions, in light of the nature of the Personal Data and the risks presented by the processing, aﬁn order to preserve the security of the Personal Data and, in particular, to prevent them from being damaged, or from being accessed by unauthorized third parties (physical protection of the premises, authentication processes with personal and secure access via conﬁdential identiﬁants and passwords, logging of connections, encryption of certain Personal Data).
KimboCare also conducts regular penetration testing to monitor, evaluate and assess the eﬃcacy of the security measures in place on a regular basis.
If we have reasonable grounds to believe that an unauthorized person has accessed your Personal Data, and applicable law requires notification, we will promptly notify you of this event via your personal or business User Account, by email (if we have your address) and/or by any other communication channel (including by posting a notice on the Platform).
You will be notified of any changes affecting you regarding our processing of your Personal Data by any appropriate means, including by email and/or via the Platform (e.g., by means of banners, pop-ups or other notification mechanisms). If you do not agree to the changes made, you must stop accessing and/or using the affected Service.
How can you contact us?